cancel
Showing results for 
Search instead for 
Did you mean: 

RFC connection fails with error ICM_HTTP_SSL_ERROR in SAP XI/PI system

Former Member
0 Kudos

Hi Team,

RFC connections GB_DPSRETRIEVE and GB_DPS which connects to govt gateway are not working from past 4 days these connections are failing with error ICM_HTTP_SSL_ERROR,we have not changed any thing from our side,we had similar issue in January 2010 where SAP has released note saying HMRC have renewed the existing Government Gateway Security Certificate for DPS which we have already renewed.Kindly let me know if some one had similar problem

Please find ICM trace details below:

[Thr 8] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]

[Thr 12] Fri Oct 15 14:45:10 2010

[Thr 12] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 12] session uses PSE file "/usr/sap/XID/DVEBMGS95/sec/SAPSSLA.pse"

[Thr 12] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 12] >> Begin of Secude-SSL Errorstack >>

[Thr 12] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth

ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete

[Thr 12] << End of Secude-SSL Errorstack

[Thr 12] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 12] SSL socket: local=10.196.66.25:57991 peer=10.196.3.3:8000

[Thr 12] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1068b6050)==SSSLERR_SSL_CONNECT

[Thr 12] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]

[Thr 12] Fri Oct 15 14:48:35 2010

[Thr 12] *** ERROR during SecudeSSL_SessionStart() from SSL_connect()==SSL_ERROR_SSL

[Thr 12] session uses PSE file "/usr/sap/XID/DVEBMGS95/sec/SAPSSLA.pse"

[Thr 12] SecudeSSL_SessionStart: SSL_connect() failed

secude_error 9 (0x00000009) = "the verification of the server's certificate chain failed"

[Thr 12] >> Begin of Secude-SSL Errorstack >>

[Thr 12] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth

ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete

[Thr 12] << End of Secude-SSL Errorstack

[Thr 12] SSL_get_state() returned 0x00002131 "SSLv3 read server certificate B"

[Thr 12] SSL socket: local=10.196.66.25:58180 peer=10.196.3.3:8000

[Thr 12] <<- ERROR: SapSSLSessionStart(sssl_hdl=0x1068b6050)==SSSLERR_SSL_CONNECT

[Thr 12] *** ERROR => IcmConnInitClientSSL: SapSSLSessionStart failed (-57): SSSLERR_SSL_CONNECT [icxxconn_mt.c 2012]

Thanks & Regards,

Sree

Accepted Solutions (0)

Answers (7)

Answers (7)

Former Member
0 Kudos

Hi Sreedhar,

This is the problem with the certificate, HMRC has provided a new link  for DPS i.e in SM59, Target host should be updated to dps.ws.hmrc.gov.uk and check the SAP Note 1693957 for the new certificate to be installed into the PI system.

Note that dowload both the cetificate  i.e the dps cetificate provided in the SAP Note and its immediate parent certificate. Its so happened in my case that only one certifcate did not work.

Regards,

Nitin Rao

Former Member
0 Kudos

In STRUST you must add CA certificates into SSL Client PSE as well.

Former Member
0 Kudos

Hi Sreedhar,

This error related to your application SSL certificate. So contact your basis adminstrator and send error details to them.

Thank you very much.

Sateesh

Former Member
0 Kudos

Hi Friends,

Thanks for your replies,I've found announcement on HMRC site about DPS issue.

Please find announcement details below:

New issues (updated 20 October)

Data Provisioning Service (DPS) u2013 P6 coding notices

We have temporarily suspended the issue of any new P6s into DPS due to a technical issue. We are investigating urgently and will restore normal service as soon as this has been rectified. HMRC apologises for any inconvenience this may cause.

http://customs.hmrc.gov.uk/channelsPortalWebApp/channelsPortalWebApp.portal?_nfpb=true&_pageLabel=pa...

Please update this message if you have heard any updates from HMRC.

Thanks & Regards,

Sree

markangelo_dihiansan
Active Contributor
0 Kudos

Hi,

The error you are experiencing is because of an incomplete installation of certificates in STRUST. To view a certificate properly, double-click on it and then go to the certification path tab. There you will see as to how many layers your end certificate have before reaching the rootCA. e.g If your certificate path looks like this:


RootCA
    | _ _ IntermediateCA
                       | _ _ _ _ EndCertificate

Then you need to:

1. Extract the IntermediateCA and RootCA by viewing the certificate and copying (located under the details tab) them

2. Install both the RootCA and IntermediateCA in the STRUST

3, Perform an ICMRestart and then test the connection again

Hope this helps,

Former Member
0 Kudos

hi sree

HMRC are currently experiencing a problem with that particular site and i suspect when they fix that your connections will work again.

each particular "child" site in HMRC that serves a different purpose will request/require different SSL certificates.

therefore whilst DPS is broken, another server/site will process your certificate and reply that it is invalid whereas it is valid til 2011 and perfectly fine.

we have the same issue and SAP/HMRC have confirmed there is an internal issue with DPS

there are no new codes so don't worry

thanks

Former Member
0 Kudos

Hi,

It looks a certificate issue from the error details

the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete : "OU=Class 3 Public Primary Certification Auth

ERROR in get_path: (24/0x0018) Can't get path because the chain of certificates is incomplete

But also check the firewall at both end .

Regards,

Vishal